Provenance & Intent Contracts
Local-first action gating for AI agents
PIC forces AI agents to prove every important action before it happens. Agents must declare intent, impact, provenance, and evidence — PIC verifies everything and fails closed if anything is wrong.
No more hallucinations turning into wire transfers. No more prompt injections triggering data exports.
A Slack message asks an LLM agent to send a $500 payment. PIC requires the agent to prove: Where did this instruction come from? Is the source trusted? Is there evidence the invoice is real?
The Slack message carries no trusted provenance and the claim has no backing evidence, so PIC returns block. The payment tool never executes.
Try the verifier locally against a sample high-impact proposal in under a minute.
pip install pic-standard
pic-cli verify examples/financial_irreversible.json
# Schema valid
# Verifier passed
# Evidence-aware verification (hash + signature)
pic-cli verify examples/financial_sig_ok.json --verify-evidence

pip install "pic-standard[langgraph]" # LangGraph PICToolNode
pip install "pic-standard[mcp]" # MCP tool guarding
pip install "pic-standard[crypto]" # Ed25519 signature evidence

Guardrails constrain what the model says. PIC constrains what the agent is allowed to do based on verifiable provenance + evidence.
When an AI takes a meaningful action, most stacks still struggle to answer basic questions:
For low-risk tasks, that may be fine. For high-impact actions, it is not.
PIC was created to stop prompt injections and blind tool calls at the action boundary.
PIC is enforced at the moment before tool execution. The agent must emit a structured Action Proposal.
What action is being proposed
Risk class: money, privacy, irreversible, compute
What rules apply and who enforces them
Which inputs influenced the decision, with trust levels
What can be checked independently (hashes, signatures)
Rule: For high-impact proposals, at least one claim must reference evidence from trusted provenance. Fail-closed.
The agent emits a structured action proposal.
A verifier checks policy, provenance, and evidence requirements.
The system allows, blocks, or escalates the action.
The action can later be reviewed with clear evidence and reasoning context.
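The rule and the allow/block decision described above, applied to the $500 Slack payment scenario, as an added example that is not PIC's own code or schema. The field names, trust labels, the read_only class, and treating all four listed risk classes as high-impact are assumptions; only hash evidence is checked.

```python
import hashlib

# Assumptions (not the PIC schema): field names, trust labels, and treating
# every risk class listed on the page as high-impact.
HIGH_IMPACT = {"money", "privacy", "irreversible", "compute"}
LOW_IMPACT = {"read_only"}  # hypothetical low-risk class

def evidence_ok(ev, artifacts):
    """Recompute the artifact's SHA-256 and compare with the declared hash."""
    data = artifacts.get(ev["ref"])
    return data is not None and hashlib.sha256(data).hexdigest() == ev["sha256"]

def verify(proposal, artifacts):
    """Return 'allow' or 'block'. Malformed or unknown input blocks."""
    try:
        impact = proposal["impact"]
        if impact in LOW_IMPACT:
            return "allow"
        if impact not in HIGH_IMPACT:
            return "block"
        trusted = {p["id"] for p in proposal["provenance"] if p["trust"] == "trusted"}
        evidence = {e["id"]: e for e in proposal["evidence"]}
        for claim in proposal["claims"]:
            for ev_id in claim["evidence"]:
                ev = evidence.get(ev_id)
                if ev and ev["source"] in trusted and evidence_ok(ev, artifacts):
                    return "allow"
        return "block"
    except (KeyError, TypeError, AttributeError):
        return "block"  # fail closed on any missing or mistyped field

# Constructed sample data for the $500 payment scenario.
INVOICE = b"invoice 0001: 500 USD"
ARTIFACTS = {"invoice.pdf": INVOICE}
SLACK_ONLY = {
    "intent": "send payment", "impact": "money",
    "provenance": [{"id": "slack_msg", "trust": "untrusted"}],
    "claims": [{"text": "invoice is due", "evidence": []}],
    "evidence": [],
}
WITH_INVOICE = {
    "intent": "send payment", "impact": "money",
    "provenance": [{"id": "slack_msg", "trust": "untrusted"},
                   {"id": "billing_system", "trust": "trusted"}],
    "claims": [{"text": "invoice is due", "evidence": ["ev1"]}],
    "evidence": [{"id": "ev1", "source": "billing_system", "ref": "invoice.pdf",
                  "sha256": hashlib.sha256(INVOICE).hexdigest()}],
}
if __name__ == "__main__":
    print(verify(SLACK_ONLY, ARTIFACTS), verify(WITH_INVOICE, ARTIFACTS))
```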
Works with your existing stack:
High-impact actions can be gated before they happen.
Operators can inspect what was proposed and why.
Verification can be separated from model behavior and moved into enforceable system boundaries.
PIC is actively evolving, and outside contributors are welcome.
Interested in the problem space but not ready to code? Thoughtful review, issue feedback, and architecture discussion are valuable too.
PIC is being developed as a practical standard, not just a conceptual safety layer.
Read the spec, review the repo, and explore contribution areas.
PIC is for builders who think "agent capability" is not enough without enforceable trust.
If you find PIC useful, a star helps attract more security experts and framework authors into the community.